Hi Neil,

I am seeing a similar behaviour. A host that appeared on the list of hosts and from which I could retrieve information (total traffic, protocols, activity patterns, ASN, geo, etc.) is no longer accessible after "some" inactivity.

Most probably, as you said, the host drops from cache due to lack of recent activity. Unfortunately I cannot find any link to retrieve the information from cache; it just shows:

Host xx.xx.xx.xx cannot be found. Perhaps this host has been previously purged from memory or it has never been observed by this ntopng instance.

I am also interested in a way to debug this "feature".

Regards,
Daniel

On 8 January 2014 04:03, Neil Bartlett <[email protected]> wrote:

> Hi Guys
>
> I have some unexpected behaviour from my ntopng installation. I've very
> recently started using ntopng, so I'm not sure if what I'm observing is
> correct or an issue.
>
> I'm running an instance of ntopng that I built from r7148 on Raspberry Pi.
> I've configured ntopng to listen to an interface (interface 3, eth1) that
> is a port mirror of my WAN connection via a Netgear GS108E switch. The
> connection is lightly loaded at approx 100MB over 30 mins.
>
> Is the following behaviour working correctly ... ?
>
> Packet data is accumulated. Looking at a particular host via the web
> interface, all looks good. I can see sensible total traffic, protocols,
> activity patterns, ASN, geo, etc. The behaviour I'm interested in occurs
> when the host drops from cache due to lack of recent activity -- maybe even
> after just a few minutes of inactivity.
>
> If I search for the host using the search input box on the main web
> interface, the returned web page correctly states that the host is not in
> cache and provides a link to force the return of the host information from
> cache. If I select the link, the host information re-appears (note there is
> sometimes a grey busy icon alongside the IP address for a few seconds -- I
> assume to indicate that the host info is being retrieved). So far so good.
>
> However, the host information is missing the previous data.
>
> If I now force the host to generate packets (e.g. browse a web site from the
> host), the original host (before the cache miss) data reappears. However,
> under these circumstances, the "First Seen" time is as of the most recent
> set of packets -- even though the traffic and the protocol tabs "correctly"
> contain the full set of information since ntopng was restarted. (Obviously,
> I'm assuming this information is correct -- at the very least it appears
> sensible).
>
> In addition, once this state has occurred the "historical" tab contains
> incorrect information. The exact state of "incorrectness" is variable, but
> most often the manifestation is that the "Total Traffic" information is
> lower than the original total traffic before the cache miss, but often much
> more than the traffic that has occurred since the recent "First Seen" time.
> i.e. it sits somewhere between the two.
>
> BTW The above behaviour is repeatable and I've now seen it four times
> despite reboots and rebuilds.
>
> So is the above correct behaviour? I'm assuming it is incorrect; I would
> have assumed that the search return from cache should have re-instantiated
> the cache miss data in the first place. If the behaviour is not correct, is
> there any recommended approach I should take to debug it? I looked for an
> option to debug build ntopng but didn't find one.
>
> Anyhow, I'm really liking the ntopng so far. It looks great and has
> already helped me achieve part of my aim of figuring out the cause of some
> unexplained bandwidth usage at Chez Bartlett.
>
> Thx
> Neil Bartlett
>
> _______________________________________________
> Ntop mailing list
> [email protected]
> http://listgateway.unipi.it/mailman/listinfo/ntop

--
*The Flow is a mystery to many, and it may only be visible when it is not present.*
